Bind 9.1 Question

Mark.Andrews at nominum.com
Tue Jan 30 01:57:24 UTC 2001


	This is not reproducible.  i.e. I cut and pasted the acl
	and added the allow-* clauses to a working config and
	could query via 127.0.0.1.

	Are you 100% sure you have restarted named with this exact
	configuration?

	If it still exists after restarting named, log a bug report
	with bind9-bugs at isc.org.

	Mark

> 
> With dig, it gives the same type of responses.  Although 9.1 might not
> support it, I was under the impression that nslookup use is deprecated, not
> completely removed altogether.  I'm not too terribly familiar with dig,
> but just typing "dig" at the prompt produces this:
> 
> 
> [root at news doc]# dig
> 
> ; <<>> DiG 9.1.0 <<>>
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 28309
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;.				IN	NS
> 
> ;; Query time: 10 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jan 30 00:11:57 2001
> ;; MSG SIZE  rcvd: 17
> 
> 
> Notice the "REFUSED" part still?  This is what I'm having trouble with...
> Again, it's probably really braindead what I'm missing, but I'm not seeing
> it.
> 
> If anyone has a look at the named.conf snippet I sent earlier, please tell
> me what option I'm missing or need to axe.
> 
> W
> 
> On Mon, 29 Jan 2001, Nguyen, Andy wrote:
> 
> > nslookup is not supported in Bind 9.1.  Use dig instead.
> >
> > -----Original Message-----
> > From: Willis L. Sarka [mailto:wlsarka at the-republic.org]
> > Sent: Monday, January 29, 2001 5:50 PM
> > To: bind-users at isc.org
> > Subject: Bind 9.1 Question
> >
> >
> >
> > Greetings,
> >
> > I have Bind 9.1 up and running successfully, but I have one small problem.
> > I can perform an nslookup query remotely (i.e. not on the same machine
> > that Bind is running on), and it works just fine.  However on the same
> > machine that is running Bind 9.1, when I do a nslookup, I get a "refused"
> > message.  I'm sure this is probably something _really_ that I'm missing,
> > but I've been stuck for a few hours, so here I am.
> >
> > Sample nslookup on machine running bind 9.1:
> >
> > [root at news /root]# nslookup
> > Note:  nslookup is deprecated and may be removed from future releases.
> > Consider using the `dig' or `host' programs instead.  Run nslookup with
> > the `-sil[ent]' option to prevent this message from appearing.
> > > news.bldr.rtone.com
> > Server:		127.0.0.1
> > Address:	127.0.0.1#53
> >
> > ** server can't find news.bldr.rtone.com.: REFUSED
> > >
> >
> >
> > Messages from the log files:
> >
> > Jan 29 22:45:13.983 security: client 127.0.0.1#2030: query denied
> >
> > Here is my named.conf:
> >
> > acl "internals" { 127.0.0.1; 172.16.0.0/20; 172.16.16.0/24; 172.16.5.0/24;
> > 192.168.253.0/24;  };
> >
> > controls {
> >         inet 127.0.0.1 allow { localhost; } keys { namedkey; };
> > };
> >
> > key namedkey {
> >         algorithm "hmac-md5";
> >         secret "tP6O603HGrPW6bV59JV4vw==";
> > };
> >
> > options {
> >         auth-nxdomain no;
> >         directory "/";
> >         pid-file "named.pid";
> >         allow-query { "internals"; };
> >         allow-recursion { "internals"; };
> >         allow-transfer { "internals"; };
> > };
> >
> > logging {
> >         channel namedlog {
> >                 file "var/log/named.log" versions 5 size 2m;
> >                 print-time yes;
> >                 print-category yes;
> >                 };
> >         category xfer-out { namedlog; };
> >         category panic { namedlog; };
> >         category security { namedlog; };
> >         category insist { namedlog; };
> >         category response-checks { namedlog; };
> > };
> >
> > //
> > // a caching only nameserver config
> > //
> > zone "." {
> >         type hint;
> >         file "named.ca";
> > };
> >
> > zone "0.0.127.in-addr.arpa" {
> >         type master;
> >         file "named.local";
> > };
> >
> > zone "rtone.com" {
> >         type master;
> >         file "db.rtone.com";
> > };
> >
> > zone "bldr.rtone.com" {
> >         type master;
> >         file "db.bldr.rtone.com";
> > };
> >
> > zone "dnvr.rtone.com" {
> >         type master;
> >         file "db.dnvr.rtone.com";
> > };
> >
> > zone "smartpoint.com" {
> >         type master;
> >         file "db.smartpoint.com";
> > };
> >
> > .... more reverse zones, etc...
> >
> >
> >
> > I know the logging section needs work.
> >
> >
> > Rndc is working just fine on the nameserver box, if that matters, and
> > named starts and runs fine.
> >
> >
> > Again, any help is appreciated.  This is the last step before I convert
> > from Bind 8.2.2_P7 to Bind 9.1.  I'd like to never again worry about a
> > Bind 8.x buffer overflow, or root exploit.
> >
> > Thanks,
> > Will Sarka
> >
> >
> >
> >
> 
> -- 
> ---------------------------------------------
> Those, who would give up essential liberty to
> purchase a little temporary safety, deserve
> neither liberty nor safety.
> 
> -Ben Franklin
> Historical Review of Constitution and
> Government of Pennsylvania
> ---------------------------------------------
> 
> 
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
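
Added example, not part of the original message and not BIND code: a cross-check of "query denied" log lines against the `allow-query` clause in the named.conf on disk, using the acl and log line quoted in the thread. The second log line, the function names and the two result labels are assumptions made for the illustration.

```python
import ipaddress
import re
# Constructed sample: acl, allow-* clauses and log line from the thread, plus one made-up denial.
NAMED_CONF = '''
acl "internals" { 127.0.0.1; 172.16.0.0/20; 172.16.16.0/24; 172.16.5.0/24;
192.168.253.0/24;  };
options {
        allow-query { "internals"; };
        allow-recursion { "internals"; };
};
'''
LOG_LINES = [
    "Jan 29 22:45:13.983 security: client 127.0.0.1#2030: query denied",
    "Jan 29 22:46:02.101 security: client 10.9.8.7#4021: query denied",
]

ACL_RE = re.compile(r'\bacl\s+"?([\w-]+)"?\s*\{(.*?)\}\s*;', re.S)
ALLOW_RE = re.compile(r'\b(allow-[\w-]+)\s*\{(.*?)\}\s*;', re.S)
DENIED_RE = re.compile(r'client ([0-9A-Fa-f.:]+)#\d+: query denied')

def elements(body):
    """Split an address-match-list body into unquoted elements."""
    return [e.strip().strip('"') for e in body.split(';') if e.strip()]

def to_networks(items, acls):
    """Expand named acls and literal prefixes; skip anything else (built-ins, keys)."""
    nets = []
    for item in items:
        if item in acls:
            nets.extend(acls[item])
            continue
        try:
            nets.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            pass
    return nets

def audit(conf, log_lines, clause="allow-query"):
    """Label each denied client: permitted by the on-disk clause or not."""
    acls = {n: to_networks(elements(b), {}) for n, b in ACL_RE.findall(conf)}
    allowed = [net for name, body in ALLOW_RE.findall(conf) if name == clause
               for net in to_networks(elements(body), acls)]
    findings = []
    for m in filter(None, map(DENIED_RE.search, log_lines)):
        addr = ipaddress.ip_address(m.group(1))
        hit = any(addr in net for net in allowed)
        findings.append((str(addr), "config-mismatch" if hit else "expected-denial"))
    return findings
```

A "config-mismatch" result means the file on disk permits the client that named refused, so the running server is not applying that clause as written: it may have loaded a different or older file, or a narrower `allow-query` elsewhere may apply.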

